Stuxnet was embarrassing, not amazing (2011) (root.org)
121 points by MrXOR on Nov 3, 2019 | hide | past | favorite | 82 comments



The Wired article on Stuxnet remains one of the best long-form stories I've ever read: https://www.wired.com/2011/07/how-digital-detectives-deciphe...

The criticism here seems to be mostly academic about not using the most advanced obfuscation while completely ignoring the actual objective and just how many obstacles were overcome.

The mission used several 0-days and stolen signing keys to get into a secret foreign air-gapped nuclear arms laboratory under a deadline and ruin the machinery while it kept reporting everything was fine. I don't see how this is anything short of amazing.


Yep, I worked in Windows Servicing at the time it came out; there were at least 4 separate completely unknown-at-the-time exploits in Stuxnet. They most likely stole the signing certs by dropping USB keys in an office park in Taiwan; all of the stolen certs were from companies which shared a particular parking lot.


Kim Zetter's article evolved into the book Countdown to Zero Day

https://smile.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/...


Here's a good documentary about Stuxnet as well: https://www.youtube.com/watch?v=TGGxqjpka-U


Yeah, with a headline like that, I was expecting an article about the international implications regarding why/how something like Stuxnet is even created and deployed in the first place. The technical merits of the operation are the absolute last thing to be embarrassed about.


I don't understand.

Do you really think that a military operation that avoided nuclear proliferation without killing a single human life or causing environmental damage is something to be ashamed of?


Obama et al did this by signing the JCPoA. No need for computer virus.


Yeah this definitely read to me like a click bait title and article. The shortfalls seem trivial in the grand scheme of what was accomplished.


Is anyone actually claiming it was a nuclear arms laboratory?


This is juvenile Monday-morning quarterbacking. Stuxnet was the first (as far as we know). It was revolutionary at the time.

Of course its authors didn't know how aggressive antivirus researchers would be, aggressive largely because of the fascinating complexity of the code. Almost all malware gets a cursory glance and is thrown in the bitbucket after processing.

The first one of anything is always the crudest. Getting away with industrial, state-sponsored cyber-sabotage is a huge step.


> The first one of anything is always the crudest. Getting away with industrial, state-sponsored cyber-sabotage is a huge step.

I know the claim is disputed, but if the CIA did cause the Trans-Siberian pipeline to explode in the '80s then that would count as prior art. Even if true it was nowhere near as complicated as Stuxnet, of course.


But Stuxnet did use obfuscation. The last payload was decrypted by concatenating two environment variables on the host, and Symantec never managed to decrypt that one. Did the author not read the Stuxnet report?


One thing that I've grown to understand is that the difference between enthusiast and professional is not the quality of goods they produce, but the economy of producing the goods. I feel like that is applicable here.

If we want another example of high-profile security incident that was more embarrassing than impressive, Wannacry fits the bill.


My English is too limited to be 100% sure about the following:

"economy of producing the goods"

What does this mean? The amount of time it takes to produce another extra good?

E.g.

Enthusiast: 1 good per 5 hours -- quality level 85%

Professional: 1 good per 0.5 hours -- quality level 80%

Or something else?


I think it's a bit more subtle than that. Professionals are able to create output that more precisely solves the problem at hand. That means that they will often create output that does less.

In the context of Stuxnet, the professional identified that the problem at hand was to shut down the Iranian nuclear enrichment facility. They ended up with a piece of code that executed that, but was not maximally obfuscated, because more obfuscation does not solve the problem at hand.


Enthusiast: 4h for the coolest component C, 1h for unnecessary but fun stuff. The rest of components: A, B & D glued from duct tape in 1h.

Quality of C: excellent, quality of the final product: nice demo, but falls apart when exposed to wind.

Professional: 2h for C, 1h for A,B,D each. 1h for testing. Quality of A,B,C and D: good enough. Quality of the final product: gets the job done, withstands winds up to the speeds required in the specs, plus some margin.


Correct. The professional produces goods which are actually used in real life conditions, with real life delivery dates.

The enthusiast produces goods which look pretty, but often don't work correctly, or need a lot more hours of work to surpass the professional.


... and the amateur produces goods out of love that end up powering the internet


"economy" here meaning efficiency (repeatability, time cost to produce)


I mean, why obfuscate at all? Their malware did its job; after that what does it matter what happens to it? Is not adding additional obfuscation "run-of-the-mill" or "amateur" as the author puts it?


> Stuxnet does not use all advanced malware techniques the author can think of

Why use (and give away) any more capabilities than required to do the job?


In fact, there's no need at all. Some of the most complex malware (viruses, to be specific) ever written (Zmist, MetaPHOR), which the post author would "appreciate", never had any wide diffusion; Stuxnet accomplished its task.

All in all, the post author just wanted some attention.


Exactly. If it did the job, why show the enemy (and the world) all your cards, so they can learn your most advanced tricks? It's better to keep some advanced techniques for the next target than to expose them with no need.


[flagged]


Who are we armchair generals to determine what is the needed amount? For all we know, they have a stockpile of thousands of zero days, or more!

Plus, if "attempting to prevent nuclear war" isn't a responsible use of these zero days, then I would love to hear what you think calls for deploying them.


Officially, as in what has been stated via formal public channels, Stuxnet was implanted to delay Iran's inevitable ability to use sufficient amounts of weapon-grade isotopes, c.q. to decrease the production by means of sabotaging centrifuges. Not to prevent nuclear war. If there are other or more reasons in play regarding why Stuxnet was implanted, it is something we're not likely to ever find out. What we do know for a fact is that it's at least very risky and irrational at best to risk handing over a single, let alone eight, zero days to an adversary you deem to be bonkers enough to go nuclear, since the reluctance to apply them is significantly lower compared to conventional or NBC weapons. To further answer your final question, I'd say it depends on a multitude of factors, among them the nature of the 0day, the theater of deployment, down to the most mundane operational details and much more. Surely an analysis you do not want to be done by an armchair general indeed, but from the looks of it this might actually be exactly what occurred.


> What we do know for a fact is that it's at least very risky and irrational at best to risk handing over a single, let alone eight, zero days to an adversary you deem to be bonkers enough to go nuclear, since the reluctance to apply them is significantly lower compared to conventional or NBC weapons.

Only two nuclear weapons have been deployed ever. This single 8-zero-day attack already quadruples it. There is absolutely more reluctance for nuclear. The "n" is not like the "bc" in NBC.

Delaying Iran's enrichment program and preventing nuclear war are very similar goals. A near-nuclear Iran would likely foment a war in the region, involving at least one other nuclear capable state. Preventing Iran from obtaining weapons is a tactic to prevent the possibility of nuclear exchange in the region. I don't think the distinction you are drawing is valid.


> Only two nuclear weapons have been deployed ever.

intentionally; if you want to feel a stark sense of wonder that we ever survived the height of the nuclear-weapons age, you could do worse than to read Schlosser's "Command and Control" (https://www.amazon.com/Command-Control-Damascus-Accident-Ill...).


Oh yeah, it's a miracle the USA didn't accidentally nuke itself. There are a lot of scary stories out there.

However, I don't think that necessarily means nukes are taken less seriously than zero-days.


> However, I don't think that necessarily means nukes are taken less seriously than zero-days.

Sure, I didn't mean to argue that; only to point out that saying that only two nuclear weapons had been deployed, even if true in a perfectly reasonable sense, required at least some qualification.


"if "attempting to prevent nuclear war" isn't a responsible use of these zero days"

What on Earth are you talking about?


How is it irresponsible? Because it gives away the exploits? That only happens if it gets reverse engineered. The main objective of stopping the nuclear arms enrichment was a more important goal and the security bulletins could be published anytime after the payload was delivered.


They literally found a way to trash an enemy’s weapons of mass destruction equipment without bombing cities and hurting people, but somehow that’s an “embarrassment.”


Attacking infrastructure is an act of war. In 2011 the Pentagon took this stance on cyber warfare:

“For the first time, the Pentagon has decided that cyber attacks constitute an act of war, reports The Wall Street Journal. The U.S. military drafted a classified 30-page document concluding that the U.S. may respond to cyber attacks from foreign countries with traditional military force, citing the growing threat of hackers on U.S. infrastructure such as subways, electrical grids or nuclear reactors.”

https://www.theatlantic.com/technology/archive/2011/05/penta...


It delayed nuclear proliferation without harming a single soldier or civilian. If that’s an act of war, then I guess I’m a war monger.


> "But this isn't academically good code."

As others have said, the only real metric of whether or not something is good is if it works in live production.


No, that's a metric for "something is working".

Ease of maintaining, extending, or fixing bugs in the same software are not informed by that metric.


Except in this case, where it was a one-shot, very specific objective. Once this thing was released, it could not have been easily updated.


It's a classic misunderstanding between "academically viable" and "operationally viable".

The military doesn't need to get an A+. It needs to win. Anything else is a bonus.

Which is why the A-10 is a better plane than the F-35. One shows up and BRRRTs the opposition into a fine red mist when you need it to. The other makes its pilot motion sick as soon as they put the helmet on.


The A-10 and F-35 are completely different planes for completely different purposes. The F-35 attempts to be able to perform most of the things the A-10 does, but you can't just say one is better than the other overall. The A-10 is probably better at shooting ground targets at close range. The F-35 is better at bombing them from 5 miles away.


That's the problem though. The F-35 tries to be good at too many things. It has the latest sensors and stealth and armaments.

But it's taking forever and a day to get the damn thing out the door because it's too academically excellent.


The wired article linked in the top comment talks at some length about how the software was able to be updated in the wild.


It is though. Bad products eventually fail under their expected operating conditions. That means you didn't actually make something production ready.

It didn't meet the specified requirements. That's a bad product.

If I have a car motor which runs, but throws a piston 20k miles before it should, I didn't build to the production spec.


It's hard to be good when you work in complete secrecy. A typical malware creator can talk to anyone in the world. If they talk to white hats they just pretend to be on the side of good. The job of a government spook is much harder because of that lack of communication. You are always on the outside looking in...


Random question for HN: How do articles like this get upvoted so much? Virtually all the top comments talk about how this is an amateurish, Monday-morning quarterbacking effort. Is it just spam upvoters?


No, it's just the people who vote and the people who comment are very different.


This reeks of "I could have done it better" but if they accomplished it with what they had what can you really say? Nice to know there were myriad of other "better" ways to do this. But it's not an embarrassment.


>>Stuxnet was embarrassing, not amazing (2011)

Stuxnet worked. Deal with it. Of course, for obvious reasons, it would be traced back to US/Israel and not to a kid in his mom's basement.


It's OK if USA/Israel does it, otherwise it's an act of war. More hypocrisy from the "good guys".


We often forget, but even the world’s top professionals get tired, cut corners, and make mistakes.

But also, what substantial gains would have come from adopting the techniques in this article?


I've seen bits and pieces of disassembled Stuxnet code around the web; does anyone here know where I could get my hands on the original binaries?


There are so many system configuration parameters you can collect to encrypt the payload. If you did so, it should not be too hard to enumerate all of them.

Moreover, the virtual machine-based code obfuscation is being regularly pwned by software cracking teams so I can imagine that obfuscation would only postpone the publication of the tool’s code for a week max.
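The two comments above (the payload keyed to concatenated host environment variables, and the reply that such parameters are enumerable) describe the analyst's side of environment-keyed payloads. The following is an added illustration written for this thread, not code from Stuxnet, Symantec, or any report it discusses: a toy host-keyed container (SHA-256 over concatenated attributes, a hash-based keystream standing in for a real cipher) next to the analyst routine that, given the sample and a constructed candidate list of host attributes, brute-forces the ordered pair that decrypts it. The attribute values, the `PAYLOAD-OK` marker, and the candidate list are all constructed for this example.

```python
import hashlib
import itertools
from typing import Iterable, Optional, Sequence, Tuple

# Constructed sample values: the two host attributes the container was keyed to.
TARGET_ATTRIBUTES: Tuple[str, str] = ("PLANT-7", "ENG-WS-12")

# Known-plaintext marker an analyst can test candidate keys against (constructed).
MAGIC = b"PAYLOAD-OK"


def derive_key(parts: Sequence[str]) -> bytes:
    """Key = SHA-256 over the concatenation of the chosen host attributes."""
    return hashlib.sha256("".join(parts).encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; illustration only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(plaintext: bytes, parts: Sequence[str]) -> bytes:
    """Wrap marker + plaintext under a key derived from host attributes."""
    body = MAGIC + plaintext
    return xor_bytes(body, keystream(derive_key(parts), len(body)))


def try_open(blob: bytes, parts: Sequence[str]) -> Optional[bytes]:
    """Return the payload if `parts` reproduces the key, else None (marker check fails)."""
    body = xor_bytes(blob, keystream(derive_key(parts), len(blob)))
    if body.startswith(MAGIC):
        return body[len(MAGIC):]
    return None


def enumerate_candidates(blob: bytes, candidates: Iterable[str], arity: int = 2) -> Tuple[Optional[Tuple[str, ...]], int]:
    """Analyst side: try every ordered `arity`-tuple of candidate host values.

    Returns (winning tuple or None, number of attempts made). Order matters because
    the key is a concatenation, so permutations rather than combinations are tried.
    """
    attempts = 0
    for combo in itertools.permutations(list(candidates), arity):
        attempts += 1
        if try_open(blob, combo) is not None:
            return combo, attempts
    return None, attempts


# Constructed candidate list an analyst might assemble from the victim environment.
CANDIDATE_VALUES = ["WORKGROUP", "PLANT-7", "ADMIN", "ENG-WS-12", "C:\\Windows", "en-US"]


if __name__ == "__main__":
    blob = seal(b"demo payload bytes", TARGET_ATTRIBUTES)
    assert try_open(blob, ("WORKGROUP", "ADMIN")) is None
    found, n = enumerate_candidates(blob, CANDIDATE_VALUES)
    print("recovered attributes:", found, "after", n, "attempts")
    print("payload:", try_open(blob, found))
```

The search space is n(n-1) for n candidates and a two-part key, which is why the reply's point holds: the protection only buys time proportional to how many plausible host parameters the analyst has to guess, not an unbounded delay.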


Yet it worked.

Just like the NSA Cisco exploit chain. According to armchair programmers it was ugly. But it worked; it could take over every Cisco router. It doesn't have to always be pretty if it gets the job done.


The book recommendation at the end, Surreptitious Software, seems interesting. Does anyone know if it is still relevant, or there are newer more relevant books on the market with the same goal?


I will suggest another alternative.

The authors weighed the risk of not being successful vs the risk of someone analyzing the worm. The latter was inevitable but the former would have been disastrous. Those protections would have only slowed down malware analysts. If this was normal malware that would be the goal, exist for as long as possible without being detected. ‘Normal’ malware has a high tolerance for failure.

In this case the goal appears to be ‘break some sensitive equipment before a particular deadline hits’, with a razor thin margin for error. But your points are not lost, good post.


Did you really just copy/paste the top reply from the article, without attribution or comment?


While some hiding is required to get past the virus scanners... Once it trashed the centrifuges, there is huge value in letting the target know they were pwned. There had to be a huge internal "who's the internal spy/saboteur" hunt that planted it - even if it was accidental - and the weapon grade target of the micro controller to let them know it was no accident.


I'd think a witch hunt is exactly what you'd want if there were no internal saboteurs, though. Getting the enemy to waste time, effort and loyalty like that would be the perfect cherry on top of the physical disruption.


What did Bulgarian teenagers do in the early 90s? all links to the story are dead.


[flagged]


State university professors are technically "government employees." There are, of course, some absolutely brilliant academics out there.


University professor is the only viable career path for basic research. Similarly anyone interested in extraterrestrial robotics can basically only find a job doing that at NASA. It's much easier to attract brilliant people if the private industry doesn't offer any jobs in the field.

Still you see many great professors being hired away into private industry.


And yet, by many metrics (e.g. number of academic prizes), the best University professors work for private Universities like Harvard, Yale, Princeton, and Stanford.


Those same people are also part of the massive research system run and funded by the federal government.

Most medical schools, especially the ones you listed, are incredibly dependent on NIH funding and they'd be unrecognizable without it. Without that support (funding, but also the review process and infrastructure stuff like PubMed and the NCBI tools), very little of the prize-winning work would be possible.


The best state schools are generally comparable in that regard.


Berkeley, UCLA, Cornell (partly), UNC, Pitt, U Michigan, and UIUC, among others, are powerhouses in certain fields.


[flagged]


not sure if you're trolling.. there are reproducibility errors in science, but they exist outside of academia too (looking at u pharma).

this "brilliant, nonproductive circle jerk" is also responsible for stupid things like the internet, GPS, and basically the foundation of any medicine you have taken


Don't paint all academics negatively with a broad brush due to the failings of a few.


Matt Cutts of the US Digital Service strikes me as an obvious rebuttal of this. He's accomplished, a respected ex-googler and speaks well.


NASA scientists are pretty well respected, you know.


The NIH, CDC, DoE, NOAA, the various DoD labs (ONR, ARL, AFRL, etc)--and more too. The NSF doesn't have a ton of intramural research, but they have very smart people on staff evaluating recent research and figuring out what to fund next; ditto for DARPA and several other agencies.

It's not just technical stuff either. The FAA has made being shot through the air in a metal tube (i.e., flying) almost absurdly safe, so much so that driving to the airport is more dangerous than the flight itself. I feel comfortable eating food from the supermarket, thanks to the USDA and FDA. The Library of Congress's work is used in libraries around the world; their collections (and the Smithsonian's) are also useful for researchers and fun for the public.

But sure, the real problem is that renewing your driver's license sometimes sucks.


A comment made by a government employee who presumably took his government job for non-economic reasons.


I hear this Reagan guy worked for the government...


One could argue it is actually the other way around: the government works for the president. The president works for the people.


One could argue that, but one would be wrong, in the United States at least. Federal employees swear an oath of office to "support and defend the Constitution of the United States against all enemies, foreign and domestic" (see https://federalnewsnetwork.com/commentary/2019/10/the-oath-o...). It doesn't say anything about supporting either the office or the person of the President.


The president is the commander in chief of the army. The DoD does in fact work for the president. This fact, which is not popular on hn is that the USA wouldn’t exist without the DoD. We’d all be speaking Chinese or Russian. The rest of the federal government wouldn’t exist without the DoD.

I don’t think the oath you quoted is much of an argument.


Proved his own point


Working for a government contractor pays a heck of a lot more than working for the government directly, but then you have to ask yourself "do I want to be part of the solution, or part of the precipitate?"

You have to come up with your own answer.


Isn't that dependent on the best minds thinking they could perform their best performance in business?


Or money.


Not everyone is motivated by excessive profit.

Sure, the money needs to be there to pay for life and plan for the future, but beyond that for many people, mission matters more than pure bucks.


Depends on motivation. Business probably pays better, but defending your country can give a person a sense of purpose.


Ever heard about defense contractors from private businesses for hire?


Kamikaze by words.



